Check resource change history in AWS Config

TOC

Check resource change history in AWS Config

The following page is an introduction to AWS Config, which shows how to audit the enable/disable of logging settings for S3 buckets.

あわせて読みたい
Introduction to AWS Config with CFN – Auditing S3 Bucket Logging Settings 【Introduction to AWS Config with CFN - Auditing S3 Bucket Logging Settings】 AWS Config is a service for evaluating and auditing resource configurations. AW...

In this article, we will use AWS Config to check the change history of a resource.

Environment

Diagram of check resource change history in AWS Config

The configuration is the same as in the page introduced at the beginning of this article.

Create two S3 buckets.

The first bucket is for verification.
The logging feature is enabled.
We will disable it manually later.

The second is the bucket used for AWS Config action.
It stores data related to the configuration and modification status of AWS resources.

CloudFormation Template Files

The above configuration is built using CloudFormation.
The CloudFormation templates are located at the following URL

https://github.com/awstut-an-r/awstut-fa/tree/main/098

Explanation of key points of the template files

Basically, it is the same as the page introduced at the beginning of this document.

However, AWS Config rules are not created this time because they are unnecessary.

Architecting

Using CloudFormation, we will build this environment and check the actual behavior.

Create CloudFormation stacks and check resources in stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page

あわせて読みたい
CloudFormation’s nested stack 【How to build an environment with a nested CloudFormation stack】 Examine nested stacks in CloudFormation. CloudFormation allows you to nest stacks. Nested ...

After checking the resources in each stack, information on the main resources created this time is as follows

  • Bucket for AWS Config: fa-098-config
  • Bucket for auditing: fa-098-logging-enabled

Confirm the created resources from the AWS Management Console.
Check AWS Config.

Detail of AWS Config 1.

You can see that it is working properly.

Check the Resource inventory.

Detail of AWS Config 2.

After selecting the resource type, etc., enter the bucket name, and the S3 bucket created this time will be displayed.

Click on the bucket name to check the details.

Detail of AWS Config 3.

You can check the detailed information of the bucket.

Click Resource Timeline to check the change history.

Detail of AWS Config 4.

Events related to the S3 bucket will be displayed in a timeline format.
This allows you to see the date and time when the bucket was created or the logging feature was enabled.
These are the API call history recorded in CloudTrail.

Checking Operation

We are ready to go.

Change the S3 bucket settings with a different IAM user (awstut) than before.
Specifically, disable the logging function.

Detail of S3 Bucket.

Access AWS Config again and check the timeline of the S3 bucket.

Detail of AWS Config 5.

You will see that an event has been added.
We can see that a user named awstut has configured the logging feature operation.

Thus, by using AWS Config, we were able to check the change history of the resource.

Summary

We have shown you how to check the change history of a resource using AWS Config.

TOC